Abstract: A system and method for detecting anomalous access to tables is described. A query for accessing a table from a requesting user is received. A set of users similar to the requesting user is determined. The probability that the requesting user should access the table is calculated. Whether the user should be accessing the table based on the calculated probability is determined.

Abstract: A method and apparatus for mobile emulator determination using sound fingerprinting is disclosed. The method includes a verification computer system receiving a transaction request from a computing device purporting to be a mobile device. Responsive to receiving the request, the verification computer system transmits a request for verification information to the computing device. The verification system includes information regarding a tone to be generated by a speaker of the computing device. Thereafter, verification information is received from the computing device. The verification information includes information tone information generated by the computing device, wherein the tone is, after generation, detected by a microphone. The verification system then verifies, based on the receive verification information, whether the information indicates that the computing device is a mobile device.

Abstract: Within an organization, numerous different persons can access data. But a user account with database access may be compromised, leading to data theft and data destruction. Database queries used to access data may vary in length, content, and formatting. Features of these queries can be extracted to train a machine learning classifier. Queries for users can be mapped to a vector space and when a new sample query is received, it can be assessed using the classifier to determine its level of similarity with previous queries by that user and other users. By analyzing the results of this assessment on the new query, it can be determined if this new query represents a data access anomaly—e.g. a particularly unusual query for a user, given his or her past, that may indicate user credentials have been compromised. When a data access anomaly exists, a remedial action may be take.

Abstract: Methods and systems are presented for assessing a veracity of device attributes obtained from a computer device based on estimating a number of processing cycles used by the computer device to perform a particular function. In response to receiving a transaction request from the computer device, software programming instructions are transmitted to the computer device for obtaining device attributes of the computer device. The software programming instructions may also include code that estimate a number of processing cycles used by the computer to perform a particular function. The particular function may be associated with obtaining at least one of the device attributes of the computer device. The estimated number of processing cycles may be compared against a benchmark profile. A risk associated with the transaction request is determined based on the comparing.

Abstract: Systems and methods for integrating, into a first software program binary, segments of a second software program are disclosed. The integration causes the execution of segments of the second software program as the first software program binary is executed. In one embodiment, a second software program, such as an embeddable software application, is received and divided into a plurality of segments, each segment corresponding to a portion of the embeddable software application. Instrumentation points corresponding to the segments of the embeddable software application are inserted into a plurality of locations within a software binary to create a modified software binary. The modified software binary thus includes the selected software binary and the embeddable software program.

Abstract: Computer system security can be threatened by users who manipulate their software to avoid detection of malicious activities—such as account takeover. Web browser software, for example, can be altered so the browser will report false information about the browser itself and/or the system on which it is running. By providing such false information, a user can try to avoid his system being fingerprinted (e.g. identified) so that the user can more effectively instigate electronic attacks without being detected. This disclosure describes techniques that allow for detection of when a user has tampered with their web browser (e.g., by overriding native code functions in the browser). Detecting that a browser has been tampered with can allow a computer server system to take mitigation actions against potentially malicious users, thus improving computer security.

Abstract: Methods and systems are provided to determine when a first electronic device is emulating a second electronic device. The first electronic device may be operated through indirect inputs such as through a mouse and keyboard. The second electronic device may be operated through direct inputs such as inputs received through a touchscreen. Interaction data received from the first electronic device may be used to determine that the first electronic device is operating an emulator. Interaction data may include data associated with scrolling on the electronic device and such data may allow a determination that the electronic device received indirect inputs and, thus, is operating an emulator.

Abstract: An indication is received that a first online platform has undergone/is undergoing a first electronic attack made by one or more actors engaged in online malicious actions with the first online platform. Responsive to the indication of the first electronic attack, one or more vulnerability characteristics of the first online platform are determined, where the vulnerability characteristics are associated with the first electronic attack. A plurality of other online platforms are analyzed to identify a second online platform that shares at least one of the vulnerability characteristics with the first online platform. Based on the determining and/or the analyzing, the second online platform is predicted to be a potential target for a second electronic attack having an attack vector in common with the first electronic attack that corresponds to the shared vulnerability characteristics. An action is performed to mitigate potential damage of the second electronic attack.

Abstract: There are provided systems and methods for a sentence based automated Turing test for detecting scripted computing attacks. A computing may request access to a service or data from a service provider, where the service provider may be required to determine that the device is used by a user and not a bot executing a scripted or automated process/attack against the service provider. To authenticate that the device is used by a user, the service provider may determine and output a challenge that queries the user to fill in one or more missing words from a sentence. Acceptable answers may be based on past messages and internal data that is specific to the service provider, as well as an external corpus of documents. The service provider may also further authenticate the user based on the user's response and a likely user response for that user.

Abstract: A request to access one or more server resources is received from a user device. Based on the request, a purported version of a browser running on the user device is determined. The user device executes a program within the browser, according to various embodiments, which throws one or more exceptions associated with one or more particular browser versions. The results of the exceptions may be analyzed to determine whether the purported version of the browser appears to be a true version of the browser. If the analysis indicates that the purported version of the browser is not accurate, the request to access the one or more server resources may be evaluated at an elevated risk level. Inaccurately reported browser versions may indicate an attempt to gain unauthorized access to an account, and thus, being able to detect a falsely reported browser version can help improve computer security.

Abstract: Systems and methods for integrating, into a first software program binary, segments of a second software program are disclosed. The integration causes the execution of segments of the second software program as the first software program binary is executed. In one embodiment, a second software program, such as an embeddable software application, is received and divided into a plurality of segments, each segment corresponding to a portion of the embeddable software application. Instrumentation points corresponding to the segments of the embeddable software application are inserted into a plurality of locations within a software binary to create a modified software binary. The modified software binary thus includes the selected software binary and the embeddable software program.

Abstract: Systems and methods for integrating, into a first software program binary, segments of a second software program are disclosed. The integration causes the execution of segments of the second software program as the first software program binary is executed. In one embodiment, a second software program, such as an embeddable software application, is received and divided into a plurality of segments, each segment corresponding to a portion of the embeddable software application. Instrumentation points corresponding to the segments of the embeddable software application are inserted into a plurality of locations within a software binary to create a modified software binary. The modified software binary thus includes the selected software binary and the embeddable software program.

Abstract: Techniques for identifying weaknesses in a probabilistic model such as an artificial neural network using an iterative process are disclosed. A seed file may be obtained and variant files generated therefrom. The variant files may be evaluated for their fitness, based upon the ability of the variant files to cause the probabilistic model to fail. The fittest variants, which may refer to those variants that are most successful in causing the model to fail, may be selected. From these selected variants, a next generation of variant files may be created. The next generation of variant files may be evaluated for their fitness. At each step of fitness evaluation or at the end of the iterative process, a map of the fittest variants may be generated to identify hotspots. These hotspots may reveal segments of code or a file that are problematic for the model, which can be used to improve the model.

Abstract: A system for discovering programming variants. The system analyzes system calls from executing a program to generate programming code or executable for a particular OS and/or CPU that would perform the same or similar actions as the program. The code that is generated is then mutated, augmented, and/or changed to create variations of the program which still functions and/or obtains the same objectives as the original code.

Abstract: A system for discovering programming variants. The system analyzes system calls from executing a program to generate programming code or executable for a particular OS and/or CPU that would perform the same or similar actions as the program. The code that is generated is then mutated, augmented, and/or changed to create variations of the program which still functions and/or obtains the same objectives as the original code.